Add passkeys to the list of things that didn’t advance as much in 2024 as we thought they might. This technology for passwordless authentication is here and it works—streamlining a login to a single tap of a fingerprint sensor—but many companies might as well be stuck in 2020.
Meanwhile, the organizations that do offer passkey authentication options continue to find enough different ways to support them that users can find they save little or no time in practice.
And yet the need to stop relying on passwords for account security should be more obvious than ever. “Long story short, passwords suck,” said FIDO Alliance CEO and Executive Director Andrew Shikiar at a conference on identity and authentication in Washington this week.
Shikiar outlined how the traditional add-on to passwords, multi-factor authentication, is becoming a brittle backstop as attackers leverage generative AI to write increasingly persuasive phishing emails to fool targets into typing MFA codes into the wrong sites.
Passkeys, however, can’t be fooled by phishing sites since the quick and silent exchange of cryptographic keys that makes them work won’t even start without the correct site involved.
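An added illustration of that origin binding, not code from this article or from the FIDO Alliance: a simplified model of the browser-side scoping rule, followed by the checks a relying party runs on `clientDataJSON` and the authenticator data. The domain `example.com`, the look-alike host, and all helper names are assumptions; the sample assertion is constructed, and signature verification is omitted.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed origin of the real login page

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_allows(origin: str, rp_id: str) -> bool:
    # Client-side scoping, simplified: the page must be HTTPS and its host must
    # equal the RP ID or be a subdomain of it (real browsers also consult the
    # public suffix list). A look-alike domain never gets offered the passkey.
    parts = urlsplit(origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))

def verify_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list[str]:
    # Relying-party checks that run before signature verification (omitted here).
    errors = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if not hmac.compare_digest(str(cd.get("challenge", "")), b64url(challenge)):
        errors.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")
    # Authenticator data: 32-byte SHA-256 of the RP ID, 1 flags byte, 4-byte counter.
    rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(auth_data) < 37 or not hmac.compare_digest(auth_data[:32], rp_hash):
        errors.append("rpIdHash")
    elif not auth_data[32] & 0x01:       # bit 0 = user present
        errors.append("userPresent")
    return errors

def make_assertion(origin: str, rp_id: str, challenge: bytes):
    # Constructed sample standing in for what a browser and authenticator return.
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                     "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (7).to_bytes(4, "big")
    return cd, ad
```

Unlike a typed MFA code, which is valid wherever it is entered, the origin and RP ID hash are covered by the authenticator's signature, so a response produced on another site cannot be relabelled for the real one.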
Citing such mass-scale passkey rollouts as those of Amazon (175 million passkeys created) and Google (more than 800 million accounts now have passkeys), Shikiar offered this prediction for 2025: “Passkeys become a mainstream authentication method.”
A Phase of Strong But Early Adoption
A year ago, Shikiar gave a similar keynote in which he forecast that in 2024, the number of passkey-enabled accounts would “march towards 20 billion.” His presentation on Tuesday cited that prediction and also reported the current total: 15-plus billion.
“We’re in a phase of strong adoption,” Shikiar told me after his presentation. “But it’s still early adoption.”
In particular, the airline and hotel firms he cited as obvious candidates for passkey adoption—in part because the last-name field on many of their log-in screens can trip up password managers—have barely budged.
Hyatt’s smooth rollout of passkey authentication doesn’t seem to have inspired any comparable upgrades at Marriott or Hilton, and passkey deployments of foreign airlines like British Airways and Air New Zealand have not been followed by similar moves at domestic carriers.
“I still think travel and hospitality will be a growth area this year,” Shikiar said, pointing to how the fingerprint that unlocks a passkey is not something you can forget like a regular password.
In his keynote, Shikiar also said an unnamed major American bank is set to start offering passkey authentication. He declined to offer hints about the bank’s name in our conversation.
Too Many Cooks Can Mean Too Many Clicks
Among companies that do welcome passkey logins, other problems have emerged. Some don’t call passkeys “passkeys”—the government’s login.gov service sticks to the phrase “face or touch unlock”—while others require some form of MFA verification even after a passkey login.
“A lot of companies that are employing passkeys are still improving their user experience,” Shikiar said. “Every company has their own technology teams, their own technology debt oftentimes.”
The passkey design guidelines published by FIDO (short for “Fast Identity Online”) emphasize seamlessness. They recommend that sites allow browsers and password managers to autofill passkeys, then present the user with a biometric sign-in button they can act on immediately.
On the user end of the passkey process, meanwhile, early and aggressive support by operating-system and browser vendors can create a different problem: a surplus of prompts tugging at your sleeve to use their own passkey service even if it won’t work on some of your devices.
Ars Technica security reporter Dan Goodin called out this behavior in late December, writing that “there are too many cooks in the kitchen, and each one thinks they know the proper way to make pie.” Goodin said he had the best experience using a password manager to create and sync passkeys, but that expecting people who have yet to adopt passkeys to set up a password manager first “would be a travesty.”
Asked about that veteran security journalist’s critique, Shikiar called it “fair.”
A more comprehensive fix to the problem of vendors competing to snatch our passkey business—secure portability that would let you move collections of passkeys between services—is on the way. Said Shikiar: “We hope to have a published draft later this year of the specification.”
Progress on Other People’s Computers
Some of the most heartening news about passkey authentication involves not personal but corporate computers. At best, companies such as Cloudflare that thought to adopt passkey authentication early on—often stored in dedicated USB security keys that an organization can buy at bulk discounts—have had phishing attacks bounce off them.
(The same hackers who went after Cloudflare also targeted the messaging-services firm Twilio and succeeded by fooling employees there into typing MFA codes into phishing sites.)
The second-best version of that is corporate responses to getting hacked that go beyond the usual apologies and free credit monitoring services for their customers to include deploying passwordless authentication.
T-Mobile, for example, faced a Federal Communications Commission mandate to upgrade its information security with MFA after a massive 2021 breach, but then elected to go one step beyond and bought more than 200,000 Yubico security keys for its employees.
“It’s unfortunate that some companies do so after the fact,” Shikiar said. But at least they can stop the next attempt to get an overworked IT type to enter a password and then a one-time code into a malicious site.
“We can’t stop people from answering the phone call about the IRS demanding everything,” Shikiar said. “But anything credential-related, we can stop.”